Undelete files on FAT with Linux
From ThorstensHome
I have a digital camera on which I accidentally deleted one movie. I want to undelete this movie. Here's how I start:
- find out the file system type on your SD card
    bort:~ # hexdump -Cn 70 /dev/sda
    00000000  eb 3c 90 6d 6b 64 6f 73  66 73 00 00 02 10 01 00  |.<.mkdosfs......|
    00000010  02 00 02 00 00 f8 f5 00  20 00 40 00 00 00 00 00  |........ .@.....|
    00000020  40 42 0f 00 00 00 29 28  49 ff 47 20 20 20 20 20  |@B....)(I.G     |
    00000030  20 20 20 20 20 20 46 41  54 31 36 20 20 20 0e 1f  |      FAT16   ..|
    00000040  be 5b 7c ac 22 c0                                 |.[|.".|
This is a FAT16 filesystem: the string FAT16 sits in the file system type field of the boot sector, at offset 0x36.
- I copy the content of the SD card into a file:
    dd if=/dev/sda of=fat16.img
I save a verbatim copy:
    cp fat16.img fat16-1.img
I add a file thorsten to the image:
    mkdir -p /mnt/loop
    mount -o loop fat16.img /mnt/loop
    touch /mnt/loop/thorsten
    umount /mnt/loop
I compare the old and the new image:
    cp fat16.img fat16-2.img
    hexdump fat16-1.img >fat16-1.txt
    hexdump fat16-2.img >fat16-2.txt
    diff fat16-1.txt fat16-2.txt
    0030e00 7441 6800 6f00 7200 7300 0f00 6300 0074
    0030e10 0065 006e 0000 ffff ffff 0000 ffff ffff
    0030e20 4854 524f 5453 4e45 2020 2020 0000 6c58
    0030e30 388b 388b 0000 6c58 388b 0000 0000 0000
    0030e40 0000 0000 0000 0000 0000 0000 0000 0000
    *
We see that the only differences between having and not having a file in the \ folder lie between 0030e00 and 0030e40.
Next step: I write content into the file and compare again:
    mount -o loop fat16.img /mnt/loop
    echo hallo>/mnt/loop/thorsten
    cat /mnt/loop/thorsten
    hallo
    umount /mnt/loop
    cp fat16.img fat16-3.img
    hexdump fat16-3.img >fat16-3.txt
    diff fat16-2.txt fat16-3.txt
    16c16
    < 0000200 fff8 ffff 0000 0000 0000 0000 0000 0000
    ---
    > 0000200 fff8 ffff 0000 ffff 0000 0000 0000 0000
    19c19
    < 0018800 fff8 ffff 0000 0000 0000 0000 0000 0000
    ---
    > 0018800 fff8 ffff 0000 ffff 0000 0000 0000 0000
    24,25c24,25
    < 0030e20 4854 524f 5453 4e45 2020 2020 0000 6c58
    < 0030e30 388b 388b 0000 6c58 388b 0000 0000 0000
    ---
    > 0030e20 4854 524f 5453 4e45 2020 2020 0000 6e34
    > 0030e30 388b 388b 0000 6e34 388b 0003 0006 0000
    27a28,30
    > 0035600 6168 6c6c 0a6f 0000 0000 0000 0000 0000
    > 0035610 0000 0000 0000 0000 0000 0000 0000 0000
    > *
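We see the FAT is at 0000200 and at 0018800 at least. We also see the bulk data is at 0035600: 68 is h, 61 is a, 6c is l, 6f is o. hexdump prints 16-bit words and we are on a little-endian machine, so the two bytes of each word appear swapped: 6168 is the byte 68 followed by 61, and the "o" (6f) shows up "behind" the 0a although it comes first in the file.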
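The byte swapping described above, as an added example that is not part of the original page: it turns the hexdump words from the last diff back into on-disk byte order and decodes the root directory entry, the FAT entry it points to, and the file content. The function names are chosen for this example; the field offsets are the standard FAT short directory entry layout.

```python
import struct

# Hexdump lines copied from the page's diff output (default hexdump format:
# 16-bit words printed in host byte order, little-endian on this machine).
DIR_LINES = ["0030e20 4854 524f 5453 4e45 2020 2020 0000 6e34",
             "0030e30 388b 388b 0000 6e34 388b 0003 0006 0000"]
FAT_LINE = "0000200 fff8 ffff 0000 ffff 0000 0000 0000 0000"
DATA_LINE = "0035600 6168 6c6c 0a6f 0000 0000 0000 0000 0000"

def words_to_bytes(line):
    """Return (offset, bytes in on-disk order) for one default-format hexdump line."""
    offset, *words = line.split()
    return int(offset, 16), b"".join(struct.pack("<H", int(w, 16)) for w in words)

def parse_dir_entry(raw):
    """Decode the fields of a 32-byte FAT short-name directory entry."""
    # Bytes 26-27: first cluster (low word); bytes 28-31: file size.
    first_cluster, size = struct.unpack_from("<HI", raw, 26)
    return {"name": raw[0:8].decode("ascii", "replace").rstrip(),
            "ext": raw[8:11].decode("ascii", "replace").rstrip(),
            "attr": raw[11],
            "deleted": raw[0] == 0xE5,  # FAT marks a deleted entry with 0xE5 in byte 0
            "first_cluster": first_cluster,
            "size": size}

def cluster_chain(fat, start):
    """Follow FAT16 entries from `start`; 0xFFF8..0xFFFF ends the chain."""
    chain, cur = [], start
    # Stop on free/reserved/bad/end markers, on loops, and at the end of our FAT excerpt.
    while 2 <= cur < 0xFFF7 and cur not in chain and cur * 2 + 2 <= len(fat):
        chain.append(cur)
        cur = struct.unpack_from("<H", fat, cur * 2)[0]
    return chain

def decode_page_dump():
    """Decode the directory entry, its FAT chain and its content from the lines above."""
    entry = parse_dir_entry(b"".join(words_to_bytes(l)[1] for l in DIR_LINES))
    _, fat = words_to_bytes(FAT_LINE)
    _, data = words_to_bytes(DATA_LINE)
    return entry, cluster_chain(fat, entry["first_cluster"]), data[:entry["size"]]

if __name__ == "__main__":
    entry, chain, content = decode_page_dump()
    print(entry)
    print("cluster chain:", chain)
    print("content:", content)
```

The decoded entry ties the three changed regions together: the directory entry at 0030e20 names cluster 3 and a size of 6 bytes, the FAT marks cluster 3 as the end of its chain, and the six bytes at 0035600 are the file content.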